
Hackers Target WordPress Sites via WP Cost Estimation Plugin

Malicious actors have been hacking WordPress websites by exploiting vulnerabilities in a fairly popular plugin called WP Cost Estimation & Payment Forms Builder.

Developed by Loopus, the plugin allows WordPress website administrators to create cost calculators and payment forms. The tool is offered on CodeCanyon for $28 and it has been purchased from this marketplace nearly 12,000 times.

Defiant, the developer of the Wordfence security plugin for WordPress websites, reported on Wednesday that it has been seeing attacks exploiting vulnerabilities in WP Cost Estimation & Payment Forms Builder to plant backdoors on websites.

The targeted flaws were patched by the developer months ago, but because no security advisory was issued, many users never installed the updates and their websites remain exposed.

According to Wordfence researchers, malicious actors have been exploiting two vulnerabilities related to uploading and deleting files.

WP Cost Estimation normally prevents users from uploading dangerous file types to the server, but a flaw in the plugin allowed attackers to upload malicious PHP files under an apparently harmless extension, which is enough for a server that executes PHP in the upload directory to run them as a backdoor.

The second flaw allows attackers to delete arbitrary files. In the attacks spotted by Wordfence, they deleted wp-config.php. With no database configuration present, WordPress drops into its installation routine as if the site were brand new, which lets the attacker point the site at a database they control and log in as an administrator of their own choosing.

Either vulnerability on its own should be enough to take over a site, yet both were exploited in attacks against the same site. Wordfence takes this as a sign that the file upload exploit did not give the attackers the result they expected, and that they fell back on the file deletion route.

Discussions on CodeCanyon reveal that several users reported that their sites had been hacked through this plugin. Some of the messages exchanged between the developer and users of WP Cost Estimation roughly four months ago suggest that the flaws may have had zero-day status at some point: malicious actors exploited the weaknesses before the developer learned of their existence.

While investigating the effectiveness of the patches released for these vulnerabilities, Wordfence researchers discovered another potentially serious flaw: an upload directory traversal issue that can be exploited to overwrite any file on the site, as long as the uploaded file carries a whitelisted extension.

“Even with a whitelist only allowing images and archives to be uploaded, an attacker could cause serious trouble with an exploit. Any image on a site could be overwritten, allowing defacement campaigns to replace them en masse. If any backups are kept in an accessible location in a zip archive, an attacker could replace this backup with their own poisoned version, containing new users in the database or backdoors buried elsewhere in the file structure. When the backup is restored (perhaps following a mysterious case of overwritten images), these backdoors would be deployed,” the researchers explained.
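The two upload weaknesses described above (an executable file hidden behind an innocuous extension, and a traversal in the client-supplied name that turns a whitelisted upload into an overwrite of an existing image or backup archive) come down to the same missing checks in an upload handler. The following is an added, illustrative example of those checks in Python; it is not code from the WP Cost Estimation plugin or from Wordfence, and the upload directory, the whitelist and the sample filenames are assumptions made for the demonstration. It goes slightly beyond the article by also rejecting null bytes and double extensions, which are the usual ways an extension check is bypassed.

```python
"""Illustrative upload-name validation for a PHP web application.

Added example, not code from the WP Cost Estimation plugin or from Wordfence. It
shows the two checks whose absence the attacks described above rely on:

  1. a server-executable file hidden behind an apparently harmless extension
     (shell.php.jpg, shell.phtml, SHELL.PhP, ...), and
  2. directory traversal in the client-supplied name (../../wp-config.php) used
     to overwrite an existing file of a whitelisted type.

The upload directory, the whitelist and the sample filenames are assumptions
made for the demonstration.
"""
from pathlib import PurePosixPath
from typing import Dict, Iterable, Optional
import secrets

# Assumed upload location and whitelist ("images and archives", as in the quote above).
UPLOAD_DIR = PurePosixPath("/var/www/html/wp-content/uploads/cost-estimation")
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "zip"}
# Extensions that typical PHP handlers execute. The whitelist already excludes them
# as a *final* extension; this set also rejects them anywhere in the name, which
# stops double-extension tricks on servers that hand every ".php*" segment to PHP.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}


class UploadRejected(ValueError):
    """Raised with a short reason when a client-supplied filename is refused."""


def safe_upload_path(client_filename: str, token: Optional[str] = None) -> PurePosixPath:
    """Return the path an upload may be written to, or raise UploadRejected.

    `token` replaces the client-chosen stem; it is random by default and only
    injectable so the result is deterministic in tests.
    """
    # Keep only the last path component, for both POSIX and Windows separators,
    # so "../", absolute prefixes and "..\\" all collapse to a bare name.
    name = client_filename.replace("\\", "/").split("/")[-1]
    if not name or name in (".", ".."):
        raise UploadRejected("empty filename")
    if "\x00" in name:
        raise UploadRejected("null byte in filename")

    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        raise UploadRejected("no extension")
    extensions = parts[1:]
    if extensions[-1] not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension .{extensions[-1]} not whitelisted")
    if any(ext in EXECUTABLE_EXTENSIONS for ext in extensions):
        raise UploadRejected("executable extension hidden in filename")

    # Never reuse the client stem: a random name means an upload can only create a
    # new file, never replace an image or a backup archive that is already there.
    stem = token if token is not None else secrets.token_hex(16)
    final = UPLOAD_DIR / f"{stem}.{extensions[-1]}"
    # Defensive re-check that the result still sits directly under UPLOAD_DIR.
    if final.parent != UPLOAD_DIR:
        raise UploadRejected("path escapes upload directory")
    return final


def classify(filenames: Iterable[str]) -> Dict[str, str]:
    """Map each constructed filename to 'accepted' or the rejection reason."""
    results: Dict[str, str] = {}
    for filename in filenames:
        try:
            safe_upload_path(filename)
            results[filename] = "accepted"
        except UploadRejected as exc:
            results[filename] = str(exc)
    return results


if __name__ == "__main__":
    # Constructed sample inputs, in the spirit of the attacks described above.
    samples = [
        "photo.JPG",
        "shell.php.jpg",
        "shell.phtml",
        "shell.php",
        "../../wp-config.php",
        "../../../backups/site-backup.zip",
        "evil.jpg\x00.php",
    ]
    for filename, verdict in classify(samples).items():
        print(f"{filename!r:40} -> {verdict}")
```

Note that the traversal case ending in a whitelisted extension is not rejected outright: it is accepted, but written under a server-chosen random name inside the upload directory, so it can no longer land on top of an existing file. Whatever the handler does, the web server should also be configured not to execute PHP from the uploads tree, so that a bypass of the extension check yields a downloadable file rather than a backdoor.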

Wordfence researchers reported this flaw to Loopus on January 26 and a patch was released a few days later.

It’s not uncommon for malicious actors to exploit recently patched or zero-day flaws affecting plugins to target WordPress websites. Recently disclosed attacks involved the AMP for WP, WordPress GDPR Compliance, and Total Donations plugins.

Related: WordPress Patches Privilege Escalation Vulnerabilities

Related: Former Employee Hacks Popular WordPress Plugin’s Website

Related: WordPress to Warn on Outdated PHP Versions

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
